Nikto
Nikto is a free software command-line scanner for finding vulnerabilities (e.g. dangerous files/CGIs, outdated server software) on web servers.
You can scan a target by specifying its URL or IP address.
See the documentation for a full list of major features and how to use them.
Here you can find some of them:
SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
Full HTTP proxy support
Checks for outdated server components
Save reports in plain text, XML, HTML, NBE or CSV
Template engine to easily customize reports
Scan multiple ports on a server, or multiple servers via input file (including nmap output)
LibWhisker's IDS encoding techniques
Easily updated via command line
Identifies installed software via headers, favicons and files
Host authentication with Basic and NTLM
Subdomain guessing
Apache and cgiwrap username enumeration
Mutation techniques to "fish" for content on web servers
Scan tuning to include or exclude entire classes of vulnerability checks
Guess credentials for authorization realms (including many default id/pw combos)
Authorization guessing handles any directory, not just the root directory
Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
Reports "unusual" headers seen
Interactive status, pause and changes to verbosity settings
Save full request/response for positive tests
Replay saved positive requests
Maximum execution time per target
Auto-pause at a specified time
Checks for common "parking" sites
Logging to Metasploit
Thorough documentation
Also, it is important to know that web scanners can produce false positives. Therefore, you need to verify detected threats manually.
Remember that it might be illegal to use this tool if you don't have the owner's permission to do it.
More:
https://tools.kali.org/information-gathering/nikto
https://cirt.net/nikto2-docs/













